IBM Resilient Incident Response Platform is an Incident Response Platform that collects and manages information about security-related incidents and compromised personally identifiable data.
You can configure InsightIDR to send incident and alert data to the IBM Resilient platform.
Before You Begin
For on-premises customers, the Resilient Platform can accept data from other SIEMs, such as InsightIDR, in the form of “Threat Services,” which you can manage from the Threat Source Directory in the Resilient application. This requires the Security Module in your Resilient license.
In order to integrate InsightIDR as a Threat Service, ensure you have access to the following:
- Master Administrator account
- Command line access to the Resilient application
- InsightIDR API Token and account name
- Connection to an AWS Server
Once enabled, complete the following:
Register the Threat Service
The Resilient Platform is the user interface that you can use to make changes to your account and configurations. You can also access the platform to make changes through the Resilient appliance command line.
Complete the following steps in the command line to register InsightIDR as a threat service:
- Log in to the Resilient appliance using an SSH client.
- At the prompt, enter the following command:
$ sudo resutil threatserviceedit \
    -name "InsightIDR" \
    -resturl https://api.<InsightIDR api URL>/resilient/ \
    -user <InsightIDR account name> \
    -password <InsightIDR API Token>
It may take several moments before the command initializes.
- Once complete, test the connectivity with the following command:
$ sudo resutil threatservicetest -name "InsightIDR"
A confirmation message will appear that reads “Successfully Connected to InsightIDR.”
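The two commands above, wrapped as an added shell example that is not part of the InsightIDR or IBM Resilient documentation: it reads the API token from a file readable only by its owner instead of typing it at the prompt (so the token does not land in shell history), and treats the connectivity test as passed only when the documented confirmation message appears. The RESUTIL variable, the read_secret helper, the parameter names and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: register and verify InsightIDR as a Resilient threat service.
# RESUTIL is assumed; override it to point at a different binary (or a mock).
RESUTIL="${RESUTIL:-sudo resutil}"

# Read a secret from a file, refusing files that other users can read.
# Assumes GNU stat (Linux appliance); the permission check is the point.
read_secret() {
    file="$1"
    [ -f "$file" ] || { echo "secret file $file missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    cat "$file"
}

# Register (or update) the InsightIDR threat service with the flags the page
# documents. Note the token is still visible in resutil's own argv while it runs.
# api_host is the InsightIDR API host, e.g. the "api.<InsightIDR api URL>" value.
register_insightidr() {
    api_host="$1"; account="$2"; token_file="$3"
    token=$(read_secret "$token_file") || return 1
    $RESUTIL threatserviceedit \
        -name "InsightIDR" \
        -resturl "https://${api_host}/resilient/" \
        -user "$account" \
        -password "$token"
}

# Run the connectivity test; succeed only on the documented confirmation text,
# so an appliance that prints an error but exits 0 is still reported as failed.
verify_insightidr() {
    out=$($RESUTIL threatservicetest -name "InsightIDR" 2>&1) || return 1
    case "$out" in
        *"Successfully Connected to InsightIDR"*) return 0 ;;
        *) echo "unexpected test output: $out" >&2; return 1 ;;
    esac
}
```

Run as `register_insightidr api.<InsightIDR api URL> <account name> /root/insightidr.token && verify_insightidr` after creating the token file with mode 600.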
Verify the Threat Service
- As the Master Administrator, log into the Resilient Platform interface.
- Select your username in the upper right corner and then select Administrator Settings > Threat Sources.
- At the bottom of the page, confirm that you see InsightIDR and that the toggle is set to ON.
- To turn off InsightIDR as a Threat Service, click the toggle to turn the connection off.
Add an Artifact
After you verify that the Threat Service is working, Resilient will perform an automatic “artifact lookup” each time an incident arrives from the Threat Service (InsightIDR). An artifact is data that contextualizes an incident, such as a hash.
When an incident occurs in InsightIDR, Resilient will automatically add the alert details as artifacts. You can also add artifacts manually to the Resilient Platform. Read more about adding Resilient Artifacts here: https://www.ibm.com/support/knowledgecenter/en/SSBRUQ_28.0.0/com.ibm.resilient.doc/master_admin/resilient_m_admin_settings_artifacts.htm
Read more about adding artifacts from emails automatically with an IBM script: https://exchange.xforce.ibmcloud.com/hub/extension/4ba70106b6f2dfa77cb1e3c921db7ff5
How to Configure This Event Source
Although you are configuring InsightIDR to send its own data to the Resilient Platform, you must configure an event source to establish the connection between the two.
To configure the connection between IBM Resilient and InsightIDR:
- From your InsightIDR dashboard, select Data Collection on the left-hand menu
- At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source
- Select the Data Exporter icon from the Security Data section. The “Add Event Source” panel appears.
- Select your collector and your event source. You can name your event source if you want to.
- Enter the hostname of the Resilient server, or the IP of your Resilient platform. Do not include the
- Enter the HTTP port of the API, or the port that should accept incoming data.
- Select which types of data you want to export. You can send both alert data and investigation data.
- Choose your credentials or optionally create a new credential.
- The username should be the registered Resilient master administrator account.
- Enter the password for the registered Resilient master admin account.
- Enter the Resilient Systems Organization ID. This is your Organization name in the form of a string.
- If you only have one organization using Resilient, you can leave this field blank.
- Click Save.